Hi
I have vyos 1.2.6
I've tried to set up snmp extend but no luck
according to the manual
-
create file bgp-rt1a.sh
/config/user-data# ls -la bgp-rt1a.sh
-r-xr-xr-x 1 root vyattacfg 98 Apr 9 17:42 bgp-rt1a.sh
-
just as example
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
run show interfaces
exit
-
configure
set service snmp script-extensions extension-name bgp1 script 'bgp-rt1a.sh'
-
executed a test from the host and got an error
snmpwalk -v2c -c public X.X.X.X nsExtendOutput1
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."bgp1" = STRING: Failed to set up config session
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."bgp1" = STRING: Failed to set up config session
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."bgp1" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."bgp1" = INTEGER: 1
Actually I want to run
/usr/bin/vtysh -c 'show ip bgp neighbors X.X.X.X prefix-counts' | grep PfxCt: | awk '{print $2}'
but running /usr/bin/vtysh inside the script had an escalation problem
snmpwalk -v2c -c public X.X.X.X nsExtendOutput1
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."bgp1" = STRING: % Can't open configuration file /etc/frr/vtysh.conf due to 'Permission denied'.
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."bgp1" = STRING: % Can't open configuration file /etc/frr/vtysh.conf due to 'Permission denied'.
Exiting: failed to connect to any daemons.
Hint: if this seems wrong, try running me as a privileged user!
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."bgp1" = INTEGER: 3
NET-SNMP-EXTEND-MIB::nsExtendResult."bgp1" = INTEGER: 0
if I use sudo inside the script
sudo /usr/bin/vtysh -c 'show ip bgp neighbors X.X.X.X prefix-counts' | grep PfxCt: | awk '{print $2}'
I got an error also
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."bgp-rt1a" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."bgp-rt1a" = STRING:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."bgp-rt1a" = INTEGER: 9
NET-SNMP-EXTEND-MIB::nsExtendResult."bgp-rt1a" = INTEGER: 0
It seems like there is a lack of privileges to run show commands by snmpd (with extend)
I changed the script /config/user-data/scr1.sh like this (using a regular Linux command instead of vyos show …)
#!/bin/vbash
###source /opt/vyatta/etc/functions/script-template
df
#run show ver
exit
it works fine
snmpwalk -v2c -On -c public 172.25.255.198 NET-SNMP-EXTEND-MIB::nsExtendObjects
.1.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.2.1.2.2.115.49 = STRING: /config/user-data/scr1.sh
.1.3.6.1.4.1.8072.1.3.2.2.1.3.2.115.49 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.4.2.115.49 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.5.2.115.49 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.6.2.115.49 = INTEGER: exec(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.7.2.115.49 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.20.2.115.49 = INTEGER: permanent(4)
.1.3.6.1.4.1.8072.1.3.2.2.1.21.2.115.49 = INTEGER: active(1)
.1.3.6.1.4.1.8072.1.3.2.3.1.1.2.115.49 = STRING: Filesystem 1K-blocks Used Available Use% Mounted on
.1.3.6.1.4.1.8072.1.3.2.3.1.2.2.115.49 = STRING: Filesystem 1K-blocks Used Available Use% Mounted on
udev 2004092 0 2004092 0% /dev
tmpfs 403788 6572 397216 2% /run
/dev/sda1 4060864 2044284 1790584 54% /usr/lib/live/mount/persistence
/dev/loop0 276736 276736 0 100% /usr/lib/live/mount/rootfs/1.3-rolling-202104080642.squashfs
tmpfs 2018924 0 2018924 0% /usr/lib/live/mount/overlay
overlay 4060864 2044284 1790584 54% /
tmpfs 2018924 0 2018924 0% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 2018924 0 2018924 0% /sys/fs/cgroup
tmpfs 2018924 8 2018916 1% /tmp
none 2018924 548 2018376 1% /opt/vyatta/config
tmpfs 403784 0 403784 0% /run/user/1003
unionfs-fuse 2018924 548 2018376 1% /opt/vyatta/config/tmp/new_config_2985
.1.3.6.1.4.1.8072.1.3.2.3.1.3.2.115.49 = INTEGER: 14
.1.3.6.1.4.1.8072.1.3.2.3.1.4.2.115.49 = INTEGER: 0
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.1 = STRING: Filesystem 1K-blocks Used Available Use% Mounted on
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.2 = STRING: udev 2004092 0 2004092 0% /dev
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.3 = STRING: tmpfs 403788 6572 397216 2% /run
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.4 = STRING: /dev/sda1 4060864 2044284 1790584 54% /usr/lib/live/mount/persistence
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.5 = STRING: /dev/loop0 276736 276736 0 100% /usr/lib/live/mount/rootfs/1.3-rolling-202104080642.squashfs
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.6 = STRING: tmpfs 2018924 0 2018924 0% /usr/lib/live/mount/overlay
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.7 = STRING: overlay 4060864 2044284 1790584 54% /
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.8 = STRING: tmpfs 2018924 0 2018924 0% /dev/shm
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.9 = STRING: tmpfs 5120 0 5120 0% /run/lock
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.10 = STRING: tmpfs 2018924 0 2018924 0% /sys/fs/cgroup
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.11 = STRING: tmpfs 2018924 8 2018916 1% /tmp
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.12 = STRING: none 2018924 548 2018376 1% /opt/vyatta/config
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.13 = STRING: tmpfs 403784 0 403784 0% /run/user/1003
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.14 = STRING: unionfs-fuse 2018924 548 2018376 1% /opt/vyatta/config/tmp/new_config_2985
if I go back to the example then I get an error: Failed to set up config session
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
run show ver
exit
snmpwalk -v2c -On -c public 172.25.255.198 NET-SNMP-EXTEND-MIB::nsExtendObjects
.1.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.2.1.2.2.115.49 = STRING: /config/user-data/scr1.sh
.1.3.6.1.4.1.8072.1.3.2.2.1.3.2.115.49 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.4.2.115.49 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.5.2.115.49 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.6.2.115.49 = INTEGER: exec(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.7.2.115.49 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.20.2.115.49 = INTEGER: permanent(4)
.1.3.6.1.4.1.8072.1.3.2.2.1.21.2.115.49 = INTEGER: active(1)
.1.3.6.1.4.1.8072.1.3.2.3.1.1.2.115.49 = STRING: Failed to set up config session
.1.3.6.1.4.1.8072.1.3.2.3.1.2.2.115.49 = STRING: Failed to set up config session
.1.3.6.1.4.1.8072.1.3.2.3.1.3.2.115.49 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.3.1.4.2.115.49 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.4.1.2.2.115.49.1 = STRING: Failed to set up config session
So the question is: Is it possible to execute vyos show … commands and grab the output via the snmp extend option?
(not safe) fix by adding to /etc/sudoers
1.2.6
snmp ALL=(ALL) NOPASSWD: /usr/bin/vtysh
1.3
Debian-snmp ALL=(ALL) NOPASSWD: /usr/bin/vtysh
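
The sudoers lines above let the SNMP daemon account run any vtysh command as any user, which includes changing the routing configuration. A narrower variant, added here as an example and not part of the original post: sudo is granted only for one root-owned wrapper that runs the single show command and returns just the counter. The wrapper path, the neighbor address 192.0.2.1 and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper /config/user-data/bgp-pfxct.sh; assumed to be owned by
# root and not writable by group or others.
# sudoers line scoped to this script; "" means no arguments are accepted.
# Account name as in the post (snmp on 1.2.6, Debian-snmp on 1.3):
#   snmp ALL=(root) NOPASSWD: /config/user-data/bgp-pfxct.sh ""
# The script registered under script-extensions then only runs:
#   sudo -n /config/user-data/bgp-pfxct.sh

NEIGHBOR="192.0.2.1"   # placeholder address, fixed here, never caller-supplied

# Constructed sample of the "prefix-counts" output, for offline checks only.
SAMPLE_OUTPUT='Prefix counts for 192.0.2.1, IPv4 Unicast
PfxCt: 42'

# Accept only a dotted-quad literal so nothing else is passed to vtysh -c.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the integer after "PfxCt:"; exit non-zero if it is absent or not
# numeric, so vtysh error text is never handed to the SNMP manager as a value.
extract_pfxct() {
    awk '$1 == "PfxCt:" && $2 ~ /^[0-9]+$/ { print $2; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

main() {
    valid_ipv4 "$NEIGHBOR" || { echo "invalid neighbor" >&2; return 2; }
    /usr/bin/vtysh -c "show ip bgp neighbors $NEIGHBOR prefix-counts" 2>/dev/null |
        extract_pfxct
}

# Query FRR only where vtysh is installed, so the functions can be tested elsewhere.
if [ -x /usr/bin/vtysh ]; then main; fi
```

With this layout the snmpd account can read one counter and nothing else through sudo, and `sudo -n` fails immediately instead of printing the lecture and password prompt seen in the output above.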